Nomx Researchers Defend Work, Dispute Unfair Test Claims

Will Donaldson, CEO and CTO of nomx, has continued to claim that his email security tool is secure, that tests by UK researchers were not fair and an up-to-date version is available for testing.

After UK researcher Scott Helme and Professor Alan Woodward from the University of Surrey released research about vulnerabilities in the nomx technology, Donaldson issued a statement to press which claimed that the devices which were powered by the Raspberry Pi “were primarily used for demonstration and media use.”

In Infosecurity’sstory published yesterday, it was alleged by Helme and Woodward that the nomx box failed on a number of security promises, and contained mostly outdated software.

Donaldson claimed that one of the early devices was provided to the BBC which was later provided to Helme. “Rooting was done, in his words, by taking the memory card from the Raspberry and inserting it into his PC, and then resetting the root password,” he said.

“This process allowed him to access the nomx from his local network. He then created a very specialized code that was unique to the management page of the nomx device he had in his possession. This code originated from a Cross Site Request Forgery, requires users to click a link or visit a hacked website, and that link then performs actions from the users’ browsers when it downloads the package from the internet.

“After he created the code, he loaded it to his own webpage to target the nomx device he had previously rooted and was in his possession and on his own network. He then simply modified the nomx data through a website link that he clicked himself. The act of the attack would require very detailed information about the local nomx device and a subsequent phishing link sent to the proposed victim, or visiting a third party compromised website, and the victim must have been logged in to their nomx device initially and then accept the phishing link or visit the compromised website.”

Donaldson claimed that because of this effort, “the threat was non-existent for our users, even if they were to have an earlier versions and code.” He accused Helme of not being fair or accurate in his findings, “because no nomx devices were actually compromised or could be compromised unless the users were to take those steps, which could not occur in a real-world situation outside of the lab.”

BBC technology reporter Dan Simmons confirmed on Twitter that the nomx boxes given to him and BBC Click “were offered as ‘as sold’ and not test units nor prototypes.”

Helme told Infosecurity that he would be happy to be involved in testing the boxes, and did not understand why they needed to be in the USA and could not be shipped to the UK.

Woodward said that Donaldson’s comments were “typical of the interactions we have had during this whole process” and he sought to “move the work into a scenario where nomx control how we can operate and control the ‘rules of the game’. We do not intend to do that as it is not a proper test of the device.”

Woodward further claimed that other researchers have found other ways to exploit the box, and “we would be delighted for nomx to ship us a new box today and we’d see if it solves the vulnerabilities we identified” as the Raspberry Pi version was still available on the nomx website.

Donaldson claimed that “when confronted with a real-world opportunity to prove their claims, they backed out” and “when given the opportunity to actually hack a nomx device that was not in their possession, or rooted, or on their own network, they didn’t.” He also released Helme and Woodward’s email addresses in an email to press.

Woodward confirmed that he and Helme gave “no such permission for our emails to be sent out but if anyone has a problem with our work we would really like to hear from them, especially if they feel that they believe the nomx box provides the ‘absolute confidentiality’ claimed on their website.”

He also said that where Helme had ‘grudgingly accepted’ that the box cannot be compromised, Donaldson was “being most definitely economical” with the truth.

“Scott has had only the one verbal interaction I’m aware of and I’m sure I’ve seen the other emails, and in none of that did either of us claim that the box could be compromised in 10 minutes [nor] did we subsequently confirm his assertions about it not being possible to compromise his test box,”. he said.